IPSWDownload.com

© 2026 IPSWDownload. All rights reserved. | Last Updated: June 29, 2026

Disclaimer: This website is an independent archive and is not affiliated with, authorized, maintained, sponsored, or endorsed by Apple Inc. "Apple", "iOS", "iPadOS", "tvOS", "macOS", "visionOS", "iPhone", "iPad", "Apple TV", "Mac", and "Apple Vision Pro" are registered trademarks of Apple Inc. All firmware links originate from official Apple servers.

Checkm8 Exploit: How Bootrom Vulnerabilities Work

July 3, 2026 | 6 min read

In 2019, a security researcher released "checkm8", an exploit that sent shockwaves through the iOS security community. It is an unpatchable vulnerability in the bootrom of hundreds of millions of Apple devices (from the iPhone 4S up to the iPhone X).

What is the Bootrom?

The bootrom (SecureROM) is the very first piece of code that runs when you turn on an iPhone. It is burned directly into the silicon processor at the factory. Because it is read-only memory (ROM), it can never be updated or patched by an IPSW firmware update.

The bootrom's job is to verify the digital signature of the next stage of the bootloader (iBoot). This creates Apple's "Chain of Trust."

How Checkm8 Breaks the Chain

Checkm8 exploits a "use-after-free" vulnerability in the USB code of the bootrom. By sending a carefully crafted USB request via a computer during DFU mode, an attacker can crash the bootrom and execute their own code before Apple's signature checks even run.

This allows jailbreak tools (like checkra1n and palera1n) to boot modified, unsigned firmware, completely bypassing Apple's security.
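
A simplified model of the use-after-free bug class described above, with the vulnerable teardown beside a hardened one. This is an added example, not code from this guide and not SecureROM code; the one-slot pool, `io_buffer`, and every function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One-slot pool standing in for a heap, so reuse after free is well-defined C. */
static unsigned char slot[64];
static int slot_in_use;

static void *pool_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    memset(slot, 0, sizeof slot);
    return slot;
}
static void pool_free(void *p) { if (p == slot) slot_in_use = 0; }

/* Hypothetical transfer state: where incoming USB data gets copied. */
static unsigned char *io_buffer;

static void session_start(void) { io_buffer = pool_alloc(); }
/* Vulnerable teardown: frees the buffer but leaves io_buffer dangling. */
static void session_end_vulnerable(void) { pool_free(io_buffer); }
/* Hardened teardown: frees the buffer and clears the stale pointer. */
static void session_end_hardened(void) { pool_free(io_buffer); io_buffer = NULL; }

/* Data handler: returns bytes copied, or -1 when no transfer is active. */
static int on_data(const unsigned char *data, size_t len) {
    if (io_buffer == NULL || len > sizeof slot) return -1;
    memcpy(io_buffer, data, len);
    return (int)len;
}

/* Session ends, the freed memory is handed to a new owner, then a late
   data packet arrives. Returns 1 if the new owner's memory was overwritten. */
static int late_write_corrupts(int hardened) {
    static const unsigned char late[4] = {0x41, 0x41, 0x41, 0x41}; /* constructed */
    slot_in_use = 0;
    io_buffer = NULL;
    session_start();
    if (hardened) session_end_hardened(); else session_end_vulnerable();
    unsigned char *new_owner = pool_alloc();   /* same memory, zero-filled */
    on_data(late, sizeof late);
    return new_owner[0] == 0x41;
}

int main(void) {
    printf("vulnerable teardown: corrupted=%d\n", late_write_corrupts(0));
    printf("hardened teardown:   corrupted=%d\n", late_write_corrupts(1));
    return 0;
}
```

With the vulnerable teardown the late write lands in memory that now belongs to another object; with the hardened teardown the handler rejects it because the pointer was cleared when the buffer was freed.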

Why doesn't it work on the iPhone 11 and newer?

Apple identified the USB vulnerability during the manufacturing of the A12 Bionic chip (iPhone XS/XR) and fixed the code burned into the silicon. All devices from A12 onward are completely immune to checkm8.

Frequently Asked Questions

Can an OTA update fix a bootrom exploit?

No. The bootrom is stored in read-only memory (ROM) in the hardware itself. Software updates (OTA or IPSW) can only modify the flash storage, not the ROM.

Is Checkm8 untethered?

No. Because the exploit must be triggered over USB during the boot sequence, if the phone dies or reboots, it will boot up normally into stock iOS. You must connect it to a computer to re-trigger the exploit.

Can checkm8 bypass iCloud?

It can be used to temporarily hide the setup app, but a true iCloud Activation Lock bypass is impossible as the lock is server-side.